Digital Crime and Litigation Briefings

The medical field is particularly sensitive to legal liability, but that anxiety has not translated to better data management practices. Information chaos reigns in the healthcare sector.

UCLA Health System is the latest to be sued for a massive data breach, with 4.5 million plaintiffs asserting that they’ve been exposed to potential harm because the UCLA medical facilities failed to encrypt patient records. The claims aren’t related to actual harm, but to potential harm.

Almost simultaneously, we see this from the 7th Circuit, in effect lowering the bar for data breach suits. In a class action against Neiman Marcus, plaintiffs claim both potential and concrete injury after a breach of credit card data. The court found an ‘objectively reasonable likelihood’ that they will suffer fraud and identity theft caused by the exposure of their data.

The court said, in effect, “Duh!” What else would motivate cybercriminals to steal credit card information? Plaintiffs satisfied the requirements to show a substantial risk of harm that’s traceable to the defendants, and for which there is redress, the court concluded. (The court did not acknowledge the Plaintiffs’ claims of concrete injury, bouncing those back to the lower court.)

The threat of litigation is forcing the business world to take security more seriously. But healthcare data won’t be easily buttoned up. It is an ever-present legal jeopardy, and will be for the foreseeable future.

For proof, we look to the doctors themselves, whose despair over electronic medical records has reached critical mass. At a town hall hosted last month by the American Medical Association, medical practitioners told bitter tales of “workflow problems, decreased productivity, lack of interoperability,” according to this story from the FierceHealth IT newsletter.

“We have a technology that brings graduate degree-educated people to their knees,” AMA president Steven Stack said. “There’s something not right here.”

The practitioners are complaining about the effect on patient service and medical outcomes, not about data security. But security flaws and poor information governance are also at hand, leading to unreliable records.

Frustrated and demoralized personnel working with a system they detest are less likely to follow best practices. Moreover, the technologies are geared to meeting federal data-gathering goals, the doctors complain, not medical efficacy.

The result is an environment that cultivates poor data integrity, casting doubt on the data coming out of the system. Poor data integrity means questionable evidence.

All of this underscores the need for special care reconstructing medical data in advance of litigation.

Electronic medical records have varying degrees of reliability and accessibility. Defendants frequently claim they don’t have the records being requested, which may or may not be true.

When it comes to interpretation, what you see is not necessarily what the patient got. Printing out a report from a medical system or device is not an accurate representation of the record. Printouts produce only portions of the data, distorting it in ways that can damage both sides.

Yet such printouts are often presented as evidence in med mal cases. It’s an incomplete record at best, and therefore a poor representation of actual events.

Forensically preserved evidence is legitimate only when it’s presented in its native format — that is, the way it was created and stored in the system – a format the end user generally does not see. Native files produce the most accurate picture of what occurred in the past — which is the definition of forensics.

All of this can accrue to the favor of either side. Early preservation of electronic evidence is the key to sound discovery. Ask your expert to help you write a request that will produce native files.